Report: malicious 'fake' news links used to socially engineer

A new report from the Institute of Critical Infrastructure Technology has shown that fake news links are often spread to aid the campaigns of APT groups.

A new report from the Institute of Critical Infrastructure Technology (ICIT) has undressed the phenomenon of fake news, but not as we know it. Authored by James Scott, a senior fellow at ICIT, the report details the use of news links as tools for socially engineering targets.

Fake news often refers to the circulation of false information peddling itself as fact, and it is often used as a component in the kind of information warfare state actors are fond of. The report, “‘fake news’ is ‘old news’ for Nation State and Mercenary APTS”, shows a new application for these news links.

News, fake or otherwise, was the most common social engineering lure of 2014. Scott states in the report that “cyber-adversaries capitalised on high-profile natural disasters, global events, celebrity gossip, and buzz-worthy headlines. The Sochi Olympics, the World Cup, the death of Robin Williams, the leak of celebrities' private photos from the iCloud and other stories were used by APTs and cyber-criminals to spread malware to victim systems via email, watering-hole sites and malicious advertisements.”

The Naikon group was particularly active in this area during that year. As one of Asia's most active APTs, the group has been spotted snooping on targets around the continent. In 2014, it was caught distributing spear-phishing emails about subjects like Malaysian Airlines Flight 370 loaded with malicious droppers or remote access Trojans.

A more recent offender, adds Scott, is the Dropping Elephant APT. Though discovered in late 2015, this APT group is supposed to have infected 2500 victims in the seven months up to its discovery. The group often spreads copied malware code through watering-holes, dressed up as political news websites covering politics in the South China Sea.

Malicious news links are used not only as a means but as an end in themselves. In its campaign against leading western media organisations, the Syrian Electronic Army was noted for gaining control of the social media accounts of those organisations and then posting news and propaganda in support of embattled Syrian president, Bashar Al Assad.

This kind of tactic exploits people's natural inclination to follow major developments in the world. Victims might click on a suspect news link for the same reason they might click on legitimate news.

That said, the success of the lure is largely independent of the veracity that the link itself claims to hold. Anything that will get the unlucky victim to click will work.

Even the release of Mandiant's report “APT1: Exposing One of China's Cyber-Espionage Units” was marred by this tactic. Symantec eventually discovered a version of the report being distributed on social media that exploited a weakness in Adobe Reader to drop a malware downloader once an expectant reader had opened the file.

In a sense, the problem is the way news is distributed. A 2016 survey by the Pew Research Centre showed that 62 percent of US adults get news from social media. For young people, social media often eclipses more orthodox sources: according to a 2016 Reuters study, 28 percent use social media as their main news source.

Social media also speaks to people's biases by showing them what they've already looked at, allowing attackers to exploit the biases of potential victims. Hyper-tailored lures thus become more effective.

Pieter Arntz of Malwarebytes' research team told SC that "the effectiveness of fake news is based on the ‘echo chamber’ effect. If people see something that proves their point, they are usually not inclined to be a critical reader. They share and re-tweet it as fact and others will start to believe it, once they see it coming from the people they follow or their friends."

Amit Ashbel, cyber-security evangelist at Checkmarx, told SC: “I think that it's not exactly the fake news that create these excellent lure tactics but rather the targeted news.”

“Modern social engineering campaigns are based on research. Hackers build a persona profile for the people they are after,” Ashbel added. “The more information you expose about your life, the more accurate the social engineering attack will be and this is why ‘fake news’ are still successful attack techniques.”

Then again, polarising news often serves just as well. “The important point is its magnetism, not only to attract people to respond to the lure but also to circulate the lure amongst their contacts,” Graham Mann, managing director of Encode Group UK, told SC. “Fake news can more often be better as the more extreme the subject matter the more likely the reader is to forget all they have been told and click on it.”